code review request: 7149012: jarsigner needs not warn about cert expiration if the jar has a TSA timestamp
Xuelei Fan
Xuelei.Fan at Oracle.COM
Wed Feb 29 15:32:46 UTC 2012
So far, I only have a very minor comment:

The block from line 875 to 880 overlaps a little with lines 884 to
889. Is it possible to improve the code?

I'm not sure whether it is better to not show the warning for
timestamped signatures with expired certificates. Need more time to
understand the scenarios of time-stamping in JarSigner. Is the
validity of the TSA certificate also checked?

Xuelei

On 2/27/2012 3:00 PM, Weijun Wang wrote:
> Hi All
>
> Please take a look at this code change:
>
> http://cr.openjdk.java.net/~weijun/7149012/webrev.00/
>
> Jarsigner will not print a warning if the signer cert is expired but a
> timestamp shows the jar was signed before the expiration date.
>
> Another change is that the chainNotValidated flag now does not cover
> hasExpiredCert and notYetValidCert anymore. The result is that when
> trying to sign (or verify) with an expired cert, instead of the
> duplicated and somewhat confusing
>
> The signer certificate has expired.
> The signer's certificate chain is not validated.
>
> warnings, user will only see
>
> The signer certificate has expired.
>
> User will still see the chainNotValidated warning if the CertPath is not
> validated because of other reasons.
>
> On the other hand, since these 3 flags share the same exit code (4),
> users will not notice the exit code change when -strict is on.
>
> There is no regression test added to the openjdk repository because it's
> not easy to generate a timestamp with an old date. I have found an old
> signed jar with a timestamp and signed by a now-expired cert. I will
> include these binary files into the jdk/test/closed repository and the
> test is a simple "jarsigner -verify -strict" call.
>
> Thanks
> Max
>
> -------- Original Message --------
> *Change Request ID*: 7149012
>
> *Synopsis*: jarsigner needs not warn about cert expiration if the jar
> has a TSA timestamp
>
> === *Description*
> ============================================================
> If the cert used to sign a jar is expired, jarsigner will print out a
> warning, and if -strict is specified, exits with an error. However, if
> there is a TSA timestamp attached to the jar (and the timestamp is shown
> to be before the expiration), it's completely valid and jarsigner should
> not report any warning or error.
>
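
The check discussed in this thread, as an added example (not code from the webrev or from jarsigner itself): for each signed entry, the signer certificate is judged at the TSA timestamp when one is present, and at the current time otherwise. The class name and the jar path taken from `args[0]` are assumptions, and this sketch does not itself validate the TSA's own certificate chain.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.Timestamp;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class SignerValidityAtTimestamp {   // hypothetical class name

    /** True if cert is within its validity period at 'when'. */
    static boolean validAt(X509Certificate cert, Date when) {
        try {
            cert.checkValidity(when);
            return true;
        } catch (CertificateException e) {   // expired or not yet valid
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Date now = new Date();
        try (JarFile jar = new JarFile(args[0], true)) {   // true = verify signatures
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                // Signers are only available after the entry has been read to the end.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) continue;   // unsigned entry or signature file
                for (CodeSigner s : signers) {
                    X509Certificate cert = (X509Certificate)
                        s.getSignerCertPath().getCertificates().get(0);
                    Timestamp ts = s.getTimestamp();   // null when no TSA timestamp
                    // With a timestamp, judge validity at signing time; otherwise now.
                    Date when = (ts != null) ? ts.getTimestamp() : now;
                    System.out.printf("%s: signer %s at %s (%s)%n", entry.getName(),
                        validAt(cert, when) ? "valid" : "NOT valid", when,
                        ts != null ? "TSA timestamp" : "current time, no timestamp");
                }
            }
        }
    }
}
```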